This is the accessible text file for GAO report number GAO-03-342 entitled 'Food-Processing Security: Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully Assess Their Implementation' which was released on March 18, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products’ accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. Report to Congressional Requesters: United States General Accounting Office: GAO: February 2003: Food-Processing Security: Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully Assess Their Implementation: GAO-03-342: GAO Highlights: Highlights of GAO-03-342, a report to Senators Richard J. Durbin and Tom Harkin: Why GAO Did This Study: The events of September 11, 2001, have placed added emphasis on ensuring the security of the nation’s food supply. GAO examined (1) whether FDA and USDA have sufficient authority under current statutes to require that food processors adopt security measures, (2) what security guidelines FDA and USDA have provided to industry, and (3) what security measures food processors have adopted. What GAO Found: Federal food safety statutes give the Food and Drug Administration (FDA) and the U.S. Department of Agriculture (USDA) broad authority to regulate the safety of the U.S. food supply but do not specifically authorize them to impose security requirements at food-processing facilities. However, these agencies’ food safety statutes can be interpreted to provide authority to impose certain security measures. FDA believes that its statutes authorize it to regulate food security to the extent that food security and safety overlap but observes that there is little overlap between security and safety. USDA believes that it could require food processors to adopt certain security measures that are closely related to sanitary conditions inside the facility. USDA also believes that the statutes, however, cannot be interpreted to authorize the regulation of security measures tha are not associated with the immediate food-processing environment, such as requiring fences, alarms, and outside lighting. Neither agency believes that it has the authority to regulate all aspects of security at food-processing facilities. Both FDA and USDA issued voluntary security guidelines to help food processors identify measures to prevent or mitigate the risk of deliberate contamination. Because these guidelines are voluntary, neither agency enforces, monitors, or documents their implementation. Both FDA and USDA have asked their inspectors to be vigilant and to discuss security with managers at food-processing facilities, but the agencies have stressed that inspectors should not enforce the implementation of security measures or document any observations because of the possible release of this information under the Freedom of Information Act and the potential for the misuse of this information. Since FDA and USDA do not monitor and document food processors’ implementation of security guidelines, the extent of the industry’s adoption of security measures is unknown. According to officials of trade associations and the five facilities we visited, however, food processors are implementing a range of security measures. In addition, the FDA and USDA field inspectors we surveyed indicated that most facilities have implemented some security measures, such as installing fences. However, the inspectors were less able to comment on security measures that were not as obvious, such as accounting for missing stock and implementing proper mail-handling practices. The inspectors also noted that while USDA has provided some of its field supervisory personnel with security training on the voluntary security guidelines it issued, it has not provided most of its inspectors with such training. FDA has not provided its staff with any training on the security guidelines. Without training on the security guidelines, inspectors are limited in their ability to conduct informed discussions regarding security with managers at food-processing facilities. What GAO Recommends: This report recommends that the Secretaries of the Departments of Health and Human Services and Agriculture study their agencies’ existing statutes to identify what additional authorities they may need relating to security measures at food-processing facilities to reduce the risk of deliberate contamination of the food supply. On the basis of these studies’ results, the agencies should seek additional authority from the Congress, as needed. GAO also recommends that the agencies provide training for all food inspection personnel to enhance their awareness and ability to discuss security measures with plant personnel. USDA agreed with this report’s recommendations. FDA agreed with the recommendation to provide training for all food inspection personnel but took no position on GAO’s other recommendation. www.gao.gov/cgi-bin/getrpt?GAO-03-342. To view the full report, including the scope and methodology, click on the link above. For more information, contact Lawrence J. Dyckman at (202) 512-3841 or dyckmanl@gao.gov. Contents: Letter: Results in Brief: Background: Existing Food Safety Statutes Do Not Provide Sufficient Authority to Regulate All Aspects of Security at Food-Processing Facilities: FDA and FSIS Issued Voluntary Security Guidelines to Food Processors but Do Not Track or Document the Extent to Which They Are Being Implemented: Food Processors Are Implementing a Range of Security Measures, but Extent of Implementation Is Largely Unknown to FDA and FSIS: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II; FDA Survey Results: Appendix III: FSIS Survey Results: Appendix IV: Comments from the U.S. Department of Agriculture: Appendix V: Comments from the Food and Drug Administration: Appendix VI: GAO Contacts and Staff Acknowledgments: Table: Table 1: State Officials’ Satisfaction with Federal, State, and Industry Efforts to Safeguard Food Products from Deliberate Contamination: Figures: Figure 1: Examples of Security Measures Contained in FDA and FSIS Guidelines: Figure 2: Percentage of Survey Responses Indicating Observation or Knowledge of More Visible Security Measures: Figure 3: Percentage of Survey Responses Indicating Observation or Knowledge of Less Visible Security Measures: Abbreviations: CDC: Centers for Disease Control and Prevention: EPA: Environmental Protection Agency: FBI: Federal Bureau of Investigation: FDA: Food and Drug Administration: FSIS: Food Safety and Inspection Service: GAO: General Accounting Office: HACCP: Hazard Analysis and Critical Control Point: ISAC: Information Sharing and Analysis Center: USDA: U.S. Department of Agriculture: This is a work of the U.S. Government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. It may contain copyrighted graphics, images or other materials. Permission from the copyright holder may be necessary should you wish to reproduce copyrighted materials separately from GAO’s product. February 14, 2003: The Honorable Richard J. Durbin Ranking Democratic Member Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia Committee on Governmental Affairs United States Senate: The Honorable Tom Harkin Ranking Democratic Member Committee on Agriculture, Nutrition and Forestry United States Senate: Ensuring the safety of the nation’s food supply--protecting the food supply from unintentional contamination--is a key objective of the Department of Health and Human Service’s Food and Drug Administration (FDA) and the Food Safety and Inspection Service (FSIS) of the U.S. Department of Agriculture (USDA). Since the terrorist attacks of September 11, 2001, however, ensuring food security--that is, protecting the food supply from deliberate contamination--has also become a heightened concern of these agencies. Bioterrorism experts, government officials, and scientists at the Centers for Disease Control and Prevention (CDC) and the National Academies warn that U.S. food- processing facilities are vulnerable to terrorist attack and that the deliberate introduction of biological and chemical agents into food supplies could sicken large numbers of people and possibly cause many deaths. Some experts note that terrorist groups could introduce infectious disease agents and chemicals into the food supply to confuse public health officials into believing that outbreaks were naturally occurring, thus delaying detection and action. Recognizing this risk, on October 8, 2001, the President added the agriculture and food industries to the list of critical infrastructure sectors needing protection from terrorist attack. Although the U.S. food supply has been mostly secure from deliberate contamination, a few such incidents have occurred. In 1984, for example, a cult group poisoned salad bars in some Oregon restaurants with Salmonella bacteria, and about 750 people became ill. Some large naturally occurring outbreaks of foodborne illness that result from accidental contamination illustrate how widespread and costly the effects of deliberate contamination could be. In 1994, for example, 224,000 people nationwide were infected with Salmonella enteritidis after eating a national brand of ice cream. This outbreak was estimated to have cost about $18.1 million, including $6.9 million for medical care and $11.2 million in time lost from work. The intentional contamination of the food supply could have severe consequences for the economy and the health of the American public. Security measures that could minimize the risk of such an event at food-processing facilities range from restricting visitor access, securing hazardous chemicals, and restricting access to in-plant laboratories to conducting employee background checks, building fences around facilities, and designating a food security management coordinator. In this context, you asked us to determine (1) the extent to which federal statutes can be effectively used to regulate food security at food-processing facilities; (2) what actions FDA and USDA have taken to help food processors prevent or reduce the risk of deliberate food contamination and how these agencies determine the extent to which food-processing facilities are implementing security measures; and (3) the extent to which industry is implementing security measures to better protect food products against deliberate contamination. While experts acknowledge that a terrorist attack could be aimed also at livestock and crops on farms or at foods at retail stores, this review focused on the food-processing segment of the farm-to-table food continuum--that is, from the farm gate to the retail level. Also, we confined our review to domestic food processors, although we recognize that both FDA and USDA have intensified their efforts to enhance the oversight of imported foods at U.S. ports of entry. In conducting our work, we sought the cooperation of industry associations to survey a representative number of food-processing facilities. We also sought permission to visit some food-processing facilities to discuss the extent to which they are implementing security measures, although we acknowledge that industry is not obligated to respond to our inquiries. We were unsuccessful in our attempts to survey a representative number of food-processing facilities because companies were concerned about sharing information on security measures; however, we were able to secure visits to five companies. To obtain a broader overview of the security measures being adopted, we also surveyed FDA and USDA food inspectors to obtain their views on the extent of security they have observed at food-processing facilities they inspect across the country. We also asked state audit offices in all 50 states to interview a selected number of state food safety regulatory officials concerning their food security activities, if any. Eleven agreed to participate. Appendix I contains the details of our scope and methodology. We conducted our review from February through December 2002 in accordance with generally accepted government auditing standards. Results in Brief: Federal food safety statutes provide FDA and USDA with broad authority to regulate the safety of the U.S. food supply but do not specifically authorize them to impose security requirements at food-processing facilities. However, while these agencies’ food safety statutes can be interpreted to provide authority to impose certain security requirements, as opposed to food safety requirements, neither agency believes it has the authority to regulate all aspects of security. FDA believes that its authorities under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act would extend to the regulation of facility security measures to prevent the intentional contamination of food products to the extent that they overlap with food safety. However, FDA observes that there is little overlap between safety and security. USDA believes that the Federal Meat, Poultry Products, and Egg Products Inspection Acts can be construed to authorize it to require food processors to adopt certain security measures that are closely related to sanitary conditions inside food- processing plants. In addition, USDA believes that the statutes cannot be interpreted to authorize the regulation of security measures that are not associated with the immediate food-processing environment. As a result, USDA does not believe it has the authority to require that food processors adopt measures to ensure security outside the premises, such as installing fences, or to require that food processors conduct employee background checks. Both FDA and USDA have issued voluntary guidelines to help food processors identify measures they can implement to prevent or mitigate the risk of deliberate contamination. Because these guidelines are voluntary, neither agency monitors or documents their implementation. Also, FDA and FSIS have instructed their food safety inspectors to be familiar with the agencies’ guidelines as they conduct regular food safety inspections and to discuss, but not interpret, the security guidelines with facility personnel. The agencies have told inspectors not to document the existence or lack of security measures because of the possible release of this information under the Freedom of Information Act and the potential for the misuse of this information. As a result, FDA and FSIS do not have information on the extent of security at food-processing facilities or whether gaps in security may exist in specific industry sectors. FDA and USDA lack comprehensive information on the extent to which food-processing companies are adopting security measures. However, officials from the food trade associations that we contacted believe that food processors are voluntarily implementing a range of security measures, including those in the federal guidelines--from limiting access to facilities to evaluating plant security. Although we found this to be the case at the five food-processing facilities we visited, we could not verify the extent to which industry has adopted security measures nationwide--in part, because food-processing facilities prefer not to share information about their security measures with federal agencies. They are concerned that this sensitive information could be released to the public under the Freedom of Information Act. In particular, the industry is worried that if security gaps at food- processing facilities were made public they could provide a road map for terrorist groups. FDA and FSIS officials also cited this concern as a factor that limits the amount of information they believe they can collect. In addition, according to FDA and FSIS food inspectors we surveyed, the food-processing facilities they regularly inspect are voluntarily implementing a range of security measures and most facilities have implemented measures to enhance perimeter fencing and lighting. On the other hand, these inspectors were less able to comment on less-visible security measures, such as accounting for missing stock and implementing proper mail-handling practices. The inspectors also indicated that larger food-processing facilities are implementing more security measures than smaller ones. Finally, the FDA inspectors that we surveyed stated that they had not received training on food security even though the agency encourages them to discuss security matters with plant personnel. FSIS has provided training to its supervisory field inspection personnel, who reported that it would be beneficial if the field inspectors--who are most directly involved with daily processing activities at each plant--were also trained on security measures. This report recommends that the Secretary of the Department of Health and Human Services and the Secretary of Agriculture study what additional authorities their agencies may need relating to security measures at food-processing facilities to reduce the risk of deliberate contamination of the food supply. On the basis of the results of these studies, the agencies should seek additional authority from the Congress, as needed. The report also recommends executive action aimed at ensuring that the agencies’ field personnel are provided with training on food security measures. We provided FDA and USDA with a draft of this report for their review and comment and received written and oral comments from both agencies on the report’s contents and its recommendations. The agencies also provided technical comments, which we incorporated into the report as appropriate. USDA agreed with the two recommendations made in this report. FDA agreed with our recommendation that it provide all food inspection personnel with training on security measures. FDA did not have an opinion on our recommendation that the agency study what additional authorities it may need relating to security measures at food-processing facilities. USDA’s comments are contained in appendix IV, and FDA’s comments are provided in appendix V. Background: Under the Federal Meat Inspection Act, the Poultry Products Inspection Act, and the Egg Products Inspection Act, USDA, through FSIS, is responsible for ensuring the safety of meat, poultry, and certain egg products. Under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, FDA is responsible for all other foods, including fruits and vegetables; dairy products; seafood; and certain canned, frozen, and packaged foods. The food-processing sector is generally described as the middle segment of the farm-to-table continuum--it extends from the time livestock and crops leave the farm for slaughter and processing into food until it reaches retail establishments. FDA and FSIS work to ensure the safety of food products processed in the United States through a regulatory system of preventive controls that identifies hazards early in the production process to minimize the risk of contamination. Known as the Hazard Analysis and Critical Control Point (HACCP) system, it makes food-processing facilities responsible for developing a plan that identifies harmful microbiological, chemical, and physical hazards that are reasonably likely to occur and establishes critical control points to prevent or reduce contamination.[Footnote 1] Through their inspection programs, FDA and FSIS verify that food processors are implementing their HACCP plans. FDA inspects over 57,000 food facilities every 5 years on average, and USDA inspects over 6,000 meat and poultry slaughter and processing facilities daily. Individual states also conduct yearly inspections of about 300,000 food-processing facilities, including small firms with fewer than 10 employees and large corporations with thousands of employees and multiple processing plants located in many states. Both FDA and FSIS have the authority to take enforcement actions as necessary to ensure that facilities meet the agencies’ safety and sanitation regulatory requirements. As we reported in 2001, in fiscal year 1999, the latest year for which such information was available, FDA, FSIS, and the states spent a total of about $1.3 billion on food safety activities.[Footnote 2] Following the events of September 11, 2001, the federal government intensified its efforts to address the potential for deliberate contamination of agriculture and food products. On October 8, 2001, the President issued an executive order establishing the Office of Homeland Security, which added the agriculture and food industries to the list of critical infrastructure systems needing protection from terrorist attack. In addition, the Congress provided FDA and USDA with emergency funding to prevent, prepare for, and respond to potential bioterrorist attacks through the Department of Defense Appropriation Act of 2002: $97 million for FDA and $15 million for FSIS. For the most part, FDA has used the emergency funds to enhance the security of imported food by hiring new inspectors and increasing inspections at U.S. ports of entry. FSIS has used its emergency funds to support its food security activities, which include, among other things, providing educational and specialized training. FDA’s fiscal year 2003 budget builds upon funding received from the fiscal year 2002 appropriation plus the fiscal year 2002 emergency supplemental funding of $97 million to counter terrorism. FDA plans to seek additional funding in the future for food safety activities and security activities related to terrorism. FSIS is asking for an additional $28 million. The Congress also enacted the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which contains numerous provisions designed to enhance the safety and security of the food, drug, and water industries.[Footnote 3] In addition, both FDA and USDA have taken many actions to better protect the food supply against deliberate contamination. For example, FDA has hired 655 new food safety investigators and laboratory personnel in the field. In addition, it has participated in several exercises at the federal and state levels to enhance emergency response procedures. Furthermore, FDA is working with CDC to initiate and implement a nationwide Laboratory Response Network for foods to identify laboratory capacity for testing agents that could be used to deliberately contaminate food. It has also provided additional laboratory training for food safety personnel and sought stakeholders’ input to develop regulations that are required by the new bioterrorism legislation. Moreover, FDA worked with the Office of the Surgeon General, U.S. Air Force, to adapt a version of the Operational Risk Management approach to examine the relative risks of intentional contamination during various stages of food production and distribution.[Footnote 4] Within the Department of Health and Human Services, both FDA and CDC have worked closely with federal, state, and local agencies to enhance their surveillance of diseases caused by foodborne pathogens. FDA’s efforts to reduce food security risks also include working with other federal agencies, trade associations, and the Alliance for Food Security. USDA has formed a Homeland Security Council to develop a Department- wide plan to coordinate efforts between all USDA agencies and offices. The Department has also established the FSIS Office of Food Security and Emergency Preparedness to centralize the Department’s work on security matters. USDA has also coordinated with other government agencies, such as the Office of Homeland Security, the Federal Bureau of Investigation (FBI), and FDA, to develop prevention, detection, and response procedures to better protect the nation’s food supply.[Footnote 5] USDA will be increasing the number of import inspectors by 20. These inspectors will place special emphasis on food security in addition to their traditional food safety role. In addition, USDA has participated in several exercises at the federal and state levels to enhance response procedures and has conducted risk assessments for domestic and imported food. Since this review began, USDA has conducted three simulation exercises at the Department and agency level to test the Department’s response to a terrorist attack and is planning three additional simulations for the spring of 2003. USDA has also conducted preparedness-training sessions for veterinarians and circuit supervisors. (Circuit supervisors supervise the work of in-plant inspection personnel and discuss the security guidelines with them.): Experts from government and academia generally agree that terrorists could use food products as a vehicle for introducing harmful agents into the food supply. Just recently, the National Academies reported that terrorists could use toxic chemicals or infectious agents to contaminate food production facilities and that, although much attention has been paid to ensuring safety and purity throughout the various stages of processing and distribution, protecting the food supply from intentional contamination has not been a major focus of federal agencies.[Footnote 6] Among other things, the report says that FDA should act promptly to extend its HACCP methodology so that it could be used to deal effectively with the deliberate contamination of the food supply. In February 2002, CDC reported that although the food and water systems in the United States are among the safest in the world, the nationwide outbreaks due to unintentional food or water contamination demonstrate the ongoing need for vigilance in protecting food and water supplies.[Footnote 7] All of the bioterrorism experts whom we consulted from academia agreed that the food supply is at risk. Existing Food Safety Statutes Do Not Provide Sufficient Authority to Regulate All Aspects of Security at Food-Processing Facilities: The food safety statutes do not specifically authorize FDA or USDA to require food processors to implement any type of security measures designed to prevent the intentional contamination of the foods they produce.[Footnote 8] While these agencies’ food safety statutes can be interpreted to provide authority to impose certain security requirements, as opposed to food safety requirements, neither agency believes it has the authority to regulate all aspects of security. Counsel in the Department of Health and Human Service’s Office of the Assistant Secretary for Legislation advised that FDA’s authorities under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act provide FDA with tools to adopt measures to control insanitary preparation, packing, and holding conditions that could lead to unsafe food; detect contamination of food; and control contaminated food. However, Counsel also advised that FDA’s food safety authorities do not extend to the regulation of physical facility security measures. FDA’s counsel provided a similar assessment, telling us that, to the extent that food safety and security overlap, FDA might be able to require the industry to take precautionary steps to improve security but observed that there is little overlap between safety and security. One area where safety and security do overlap is in the handling of hazardous materials. FDA’s existing safety regulations specify that hazardous chemicals should be stored so that they cannot contaminate food products. This requirement overlaps with FDA’s food security guidelines advising that hazardous chemicals be stored in a secure area and that access to them be limited. USDA, on the other hand, has a somewhat more expansive view of the extent to which its statutory authority allows it to require food processors to adopt certain security measures. USDA’s general counsel concluded that to the extent that security precautions pertain to activities closely related to sanitary conditions in the food preparation process, FSIS has the authority to require food processors to implement certain security measures.[Footnote 9] The general counsel concluded that FSIS could require facilities to develop and maintain a food security management plan concerning their response to an actual threat involving product tampering, since this is directly related to food adulteration. Such a plan could be added to a current HACCP plan or it could be entirely separate. USDA also believes that FSIS has authority to mandate its “inside security” guidelines, such as controlling or restricting access to certain areas, monitoring the operation of equipment to prevent tampering, and keeping accurate inventories of restricted ingredients and hazardous chemicals. Similarly, USDA believes that many of its security measures that address shipping and receiving food products or protecting water and ice used in processing products also could be made mandatory. These measures include putting tamper-proof seals on incoming and outgoing shipments and controlling access to water lines and ice storage. On the other hand, USDA believes that the “outside security” measures included in its guidelines, such as securing plant boundaries and providing guards, alarms, and outside lighting, have little to do with sanitation in the facility or the immediate food-processing environment and, therefore, could not be made mandatory under existing authorities. With respect to the guidelines’ personnel security measures, USDA noted that FSIS has limited authority over personnel matters at food- processing facilities and could not require facilities to perform personnel background checks before hiring. FDA and FSIS Issued Voluntary Security Guidelines to Food Processors but Do Not Track or Document the Extent to Which They Are Being Implemented: In response to the nation’s growing concerns regarding the potential for deliberate contamination of the food supply, FDA and USDA issued guidelines to the food-processing industry suggesting measures to enhance security at their facilities. Among other things, the guidelines suggests conducting a risk assessment, developing a plan to address security risks at plants, and adopting a wide range of security measures inside and outside the premises. Food-processing facilities are not required to adopt any of the security measures but are encouraged to adopt those that they feel are best suited for their operations. Although both agencies have alerted their field inspection personnel to be vigilant about security issues, they have also told the inspectors that they are not authorized to enforce these measures and have instructed them not to document their observations regarding security because of the possible release of this information under the Freedom of Information Act and the potential for the misuse of this information. As a result, FDA and USDA currently do not know the extent to which food security measures are being implemented at food- processing facilities. In contrast, the Congress directed medium-size and large-size community water systems, which are privately or publicly owned, to assess their vulnerability to terrorist attacks and to develop an emergency response plan to prepare for such an event. The act also authorized funding to be used for basic security enhancements, such as the installation of fencing, gating, lighting, or security cameras. This approach enables the Environmental Protection Agency (EPA) to monitor the water industry’s security efforts and could be a possible model for the food safety agencies. Industry’s Compliance with Security Guidelines Is Voluntary: In 2002, FDA and FSIS each issued voluntary security guidelines to the food-processing industry to help federal-and state-inspected plants identify ways to enhance their security.[Footnote 10] The agencies encouraged food processors, among others, to review their current operations and adopt those security measures suggested in the guidelines that they believed would be best suited for their facilities. Officials from both FDA and FSIS told us that there was little or no coordination between the two agencies in developing these guidelines. The FDA guidance contains over 100 recommended security measures covering seven areas of plant operation, such as managing food security, physical (outside) security, and computer security. FSIS’s guidelines contain 68 security measures and cover seven areas of plant operation. Figure 1 summarizes key aspects of both agencies’ voluntary security guidelines for industry. FDA and FSIS have made the guidelines available on the Internet.[Footnote 11] These guidelines are very similar--one difference is that FSIS’s contain security measures for slaughter facilities. Figure 1: Examples of Security Measures Contained in FDA and FSIS Guidelines: [See PDF for image] [End of figure] Some state governments have also acted to protect food products from deliberate contamination. We learned from 11 state auditing offices that food safety regulatory officials from most of these states are providing industry or state inspectors with guidelines, either in the form of the FDA and FSIS guidelines or guidelines developed by the state officials themselves.[Footnote 12] In addition, three states have enacted new legislation or regulations addressing the security of food products. FDA and FSIS Instruct Their Inspectors to Be Observant: Although FDA and FSIS do not assess the extent to which food processors are implementing security measures, the agencies have asked their field inspection personnel to be on heightened alert and to discuss, but not interpret, the security guidance with facility officials during their routine food safety inspections.[Footnote 13] However, both FDA and USDA have instructed their field inspection personnel to refrain from enforcing any aspects of the security guidelines because the agencies generally believe that they lack such authority. They have also instructed their field personnel not to document plants’ security measures because they are concerned that such information would be subject to Freedom of Information Act requests. More specifically, FDA’s instructions to its field personnel specify that they should neither perform a comprehensive food security audit of the establishment nor conduct extensive interviews to determine the extent to which preventive measures suggested in the guidelines have been adopted. The goals, according to FDA, are to heighten industry’s awareness of food security practices, facilitate an exchange of information between FDA and industry on the subject of food security, and encourage plant management to voluntarily implement those preventive measures that they believe are most appropriate for their operation. In short, FDA inspectors are encouraged to discuss food security concerns with plant management and to provide them with copies of the guidelines. Although the exact details of such discussions are not to be recorded, inspectors are required to document in their inspection reports that such discussions took place and that they gave a copy of the guidelines to facility management. Similarly, FSIS has informed its field inspectors that they have no regulatory duties regarding the enforcement of the guidelines. Initially, the agency instructed its inspectors to refer any questions from facility managers to USDA’s Technical Service Center in Omaha, Nebraska.[Footnote 14] Recently the agency modified its position regarding direct discussions of food security and now allows inspectors to discuss, but not interpret, security with facility management. Inspectors are still instructed not to document these conversations or enforce the adoption of any security measure. Officials from both agencies expressed concerns about gathering security information from facilities because it could be subject to public disclosure through Freedom of Information Act requests. If terrorists gained access to this information, it could give them a road map to target the most vulnerable areas in a food-processing plant. Water Security Provisions in the 2002 Bioterrorism Act Are a Possible Model for the Food Safety Agencies: Recent congressional efforts to better protect the nation’s drinking water from terrorist acts may offer a model for FDA and USDA to help monitor security measures adopted at food-processing facilities as well as to identify any security gaps that may exist at these facilities. Although there are differences in how the government regulates drinking water and food, food and water are essential daily consumption elements, and both are regulated to ensure their safety. In June 2002, the Congress enacted the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which, among other things, amended the Safe Drinking Water Act. The Bioterrorism Act requires medium-size and large-size community water systems (those serving over 3,300 people), which are privately and publicly owned, to certify to EPA that they have assessed their vulnerability to a terrorist attack and developed emergency plans to prepare for and respond to such an attack. These water systems serve 91 percent of the United States’ population. Each community’s water system is required to conduct a vulnerability assessment and submit a copy of the assessment to EPA.[Footnote 15] The act specifies that the vulnerability assessment is exempt from disclosure under the Freedom of Information Act, except for the identity of the community water system and the date on which it certifies compliance. Community water systems are also required to prepare an emergency response plan that incorporates the results of their vulnerability assessments. In addition, the act authorizes funding for financial assistance to community water systems to support the purchasing of security equipment, such as fencing, gating, lighting, or security cameras. Food Processors Are Implementing a Range of Security Measures, but Extent of Implementation Is Largely Unknown to FDA and FSIS: FDA and FSIS lack comprehensive information on the extent to which food-processing companies are adopting security measures. However, officials from the majority of the food trade associations that we contacted believe that their members are implementing a range of measures to enhance security at their facilities. We found that the five food-processing facilities we visited in various geographic regions around the country are also implementing an array of security measures that range from developing risk assessment plans to hiring security contractors.[Footnote 16] Furthermore, our survey of FDA and FSIS inspectors indicates that, generally, food-processing facilities are implementing a range of security measures. The survey responses indicate, however, that the inspectors were more aware of those security measures that were the most visible to them during the course of their regular food safety inspections.[Footnote 17] Trade Association Officials Indicate That Industry Is Implementing Various Security Measures: According to trade association officials, food processors are voluntarily taking steps to prevent the deliberate contamination of their products, including adopting many of the measures suggested by FDA and FSIS, such as installing fences, requiring that employees wear identification, and restricting access to certain plant areas. Association officials told us that most large food-processing facilities already have ample security plans that include many of the recommendations made by FDA and FSIS. One trade association recently conducted a survey of its members and asked for their opinions about FSIS’s Guidelines. Most of the respondents indicated that they were aware of the guidelines; they believed the guidelines were for the most part practical and workable; and they used them in their security plans. However, these officials were unable to provide data on the extent to which the food-processing industry is implementing security measures to prevent or mitigate the potential deliberate contamination of food products.[Footnote 18] Trade association officials also said that they provided FDA and FSIS with comments on the voluntary guidelines and, in some cases, have also issued their own food security guidelines to their members. Although the officials generally believe that the agencies’ guidelines are reasonable, they do not want the government to regulate food security. They also feel that some companies, especially small facilities with limited resources, are unable to implement all the measures in the guidelines. Therefore, these officials believe it is important for the guidelines to remain voluntary. The industry is involved in improving food security in other ways as well. For example, the food industry associations formed the Alliance for Food Security to facilitate the exchange of information about food security issues. The Alliance is composed of trade associations representing the food chain, from commodity production through processing, packaging, distribution, and retail sale, as well as government agencies responsible for food and water safety, public health, and law enforcement. Similarly, led by the Food Marketing Institute, the food industry and FBI established the Information Sharing and Analysis Center (ISAC), which serves as a contact point for gathering, analyzing, and disseminating information among companies and the multiagency National Infrastructure Protection Center based at FBI headquarters. Through ISAC, FBI officials have notified food manufacturers of warnings and threats that the Center deems to be credible. ISAC also provides a voluntary mechanism for reporting suspicious activity in a confidential manner and for developing solutions. Five Processing Facilities Provide Some Indication about Industry’s Efforts: We visited five food-processing facilities, including a slaughter plant and facilities that produce beverages and ready-to-eat products. Although these facilities are not in any way representative of all food-processing plants nationwide, they provide some information about the types of security measures that some facilities are implementing. All five facilities had conducted risk analyses and, on the basis of the results, had implemented a number of security measures similar to those suggested in the FDA and FSIS guidelines. For example, all five facilities limited access to the facility through such means as requiring visitors to enter through a guard shack and to provide identification. In addition, employees at three of the facilities could enter the facility only by using magnetic cards. However, managers at the five facilities offered differing opinions about personnel security. Although all of the facilities we visited performed background checks on their employees that included verification of social security numbers, only some verified prior work experience, criminal history, and level of education. One company also required that its contractors, such as construction companies working in the facility, perform employment, education, and criminal checks of their own employees. The facilities also used different protocols for employee access to different areas within the plant. For example, at four of the facilities, employees were limited to those areas of the plant in which they worked. While the managers at these facilities generally complimented FDA’s and USDA’s security guidelines, they said that they do not want the agencies to regulate security. Rather, they believe that the agencies should develop a nonprescriptive framework or strategy for industry and then leave them to decide how to meet their individual requirements. One manager believes that food security responsibilities should be moved to the Department of Homeland Security. Finally, our discussions with trade association officials and food- processing industry officials revealed that the industry is very concerned about sharing security information with federal agencies because of the possibility that it could provide a road map for terrorist groups if it were released under the Freedom of Information Act. Although the act exempts from public release certain national security, trade secret, and commercial or financial information, industry officials are generally skeptical about the government’s ability to prevent the release of sensitive security information at food-processing facilities. FBI officials told us that they have cited these exemptions when assuring ISAC members that security information shared with them will be protected from public release. These officials explained that the courts have generally ruled that the commercial information exemption protects those who voluntarily provide the government with information if the information is of a kind that the provider would not ordinarily release to the public.[Footnote 19] However, the FBI officials we interviewed believe that the government should find some way of assuring industry that sensitive security information is protected from public release. FDA and FSIS Survey Respondents Indicate That Processing Facilities Are Implementing a Range of Security Measures: FDA and FSIS survey respondents observed a range of security measures being implemented at food-processing facilities, although both FDA and FSIS respondents were able to provide more information about those security measures that were most visible during the course of their normal inspection duties. Figure 2 shows selected categories of security measures recommended in the FDA and FSIS security guidelines that were most visible to inspectors.[Footnote 20] The majority of the FDA survey respondents said they were able to observe security measures, such as fencing around the plants’ perimeter, limiting access to restricted areas, securing hazardous materials, and providing adequate interior and exterior lighting. Likewise, most of FSIS’s circuit supervisors were able to observe outside security measures including alarmed emergency exits, plant perimeter protection, positive employee identification, and the inspection of incoming and outgoing vehicles. Figure 2: Percentage of Survey Responses Indicating Observation or Knowledge of More Visible Security Measures: [See PDF for image] [End of figure] Note: GAO survey of FDA and FSIS inspectors. Survey respondents provided fewer observations regarding other types of security measures included in the FDA and FSIS guidelines--in some instances because these measures were less visible to them. For example, FDA respondents were less able to comment on whether they noticed or knew of the presence of security measures designed to account for missing stock or for other finished product irregularities. (See fig. 3.) Similarly, FSIS respondents were less unable to comment on the extent to which facilities were performing background checks on new employees or implementing proper mail-handling practices. Figure 3: Percentage of Survey Responses Indicating Observation or Knowledge of Less Visible Security Measures: [See PDF for image] [End of figure] Figure 4: Note: GAO survey of FDA and FSIS inspectors. [See PDF for image] [End of figure] More than half of FSIS’s survey respondents stated that large plants-- those with at least 500 employees--had implemented a range of security measures, including the areas of outside security, storage, slaughter and processing, and personnel security. Fewer of these respondents observed these security measures at smaller plants. Some FDA and FSIS respondents provided additional comments that the very small firms typically lack the financial resources to implement many of the security measures suggested in the government guidelines. Similarly, some respondents commented that many of the security measures might not be necessary at smaller establishments. Additionally, most of the FDA respondents reported that they had not received training on food security; while nearly all of the FSIS respondents reported that they had recently received such training. Some of the FSIS respondents further stated that although they had received food security training, further training was greatly needed in the field. Such training would be beneficial because field personnel are encouraged to discuss security measures with managers at the facilities they inspect. Finally, responses to our survey showed that FDA and FSIS respondents have different levels of “satisfaction” with or “confidence” in the efforts of the processing facilities they inspect to ensure the protection of food from acts of deliberate contamination.[Footnote 21] While nearly half of the FSIS respondents said they were somewhat or very confident of the efforts made by the food processors they inspect, slightly over one-fourth of the FDA respondents were satisfied or very satisfied with the efforts made by the food processors they inspect. Regulatory Officials from 11 States Indicate Some Level of Satisfaction with Security Efforts: Thirty-seven food regulatory officials interviewed by state auditors in 11 states provided opinions on their overall level of satisfaction with federal, state, and industry efforts to protect food from intentional contamination. Table 1 shows that nearly half of the state regulatory officials interviewed expressed satisfaction with the efforts made by federal, state, and industry to safeguard food products--though these results cannot be generalized to all state regulatory officials. Table 1: State Officials’ Satisfaction with Federal, State, and Industry Efforts to Safeguard Food Products from Deliberate Contamination: Questions asked of 37 state food safety regulatory officials: (11 states): How satisfied are you with the federal government’s efforts?; Percentage of officials very satisfied or satisfied: 43.3; Percentage of officials neither satisfied nor dissatisfied: 32.4; Percentage of officials dissatisfied or very dissatisfied: 24.3. Questions asked of 37 state food safety regulatory officials: (11 states): How satisfied are you with the state government’s efforts?; Percentage of officials very satisfied or satisfied: 56.8; Percentage of officials neither satisfied nor dissatisfied: 29.7; Percentage of officials dissatisfied or very dissatisfied: 13.5. Questions asked of 37 state food safety regulatory officials: (11 states): How satisfied are you with industry’s efforts?; Percentage of officials very satisfied or satisfied: 43.2; Percentage of officials neither satisfied nor dissatisfied: 45.9; Percentage of officials dissatisfied or very dissatisfied: 10.8. [End of table] Source: State audit offices. Notes: Combined state survey of 37 state regulatory officials. Percentages may not total 100 because of rounding. Finally, most of the state officials interviewed by state auditors believed it was either “important” or “very important” for states to monitor whether companies have adopted security measures to prevent acts of deliberate contamination; 3 of the 11 states are already requiring their inspectors to do so. Conclusions: The vulnerability of the food supply to potential acts of deliberate contamination is a national concern. The President addressed this concern in the October 8, 2001, executive order establishing the Office of Homeland Security and adding the agriculture and food industries to the list of critical infrastructure systems needing protection from terrorist attack. The National Academies have also concluded in a recently released report that infectious agents and toxic chemicals could be used by terrorists to contaminate food-processing facilities. Among other things, the report says that FDA should act promptly to extend its Hazard Analysis and Critical Control Point methodology so it might be used to deal effectively with deliberate contamination of the food supply. The Centers for Disease Control and Prevention also reported recently on the need to better protect our nation’s food and water supplies. These assessments underscore the need to enhance security at food- processing facilities. Although FDA and FSIS recognize that need and have taken action to encourage food processors to voluntarily adopt security measures, these actions may be insufficient. Because the agencies believe that they generally lack authority to mandate security measures and are concerned that such information would be subject to Freedom of Information Act requests, they do not collect information on industry’s voluntary implementation of security measures. The agencies are, therefore, unable to determine the extent to which food processors have voluntarily implemented such measures. Both FDA and USDA have completed risk assessments. However, without the ability to require food-processing facilities to provide information on their security measures, these federal agencies cannot fully assess industry’s efforts to prevent or reduce the vulnerability of the nation’s food supply to deliberate contamination. Similarly, they cannot advise processors on needed security enhancements. Furthermore, lacking baseline information on the facilities’ security condition, the agencies would be unprepared to advise food-processing facilities on any additional actions needed if the federal government were to go to a higher threat alert. Finally, the lack of security training for FDA food inspectors on the voluntary security guidelines issued for food processors and the limited number of FSIS inspectors that have so far received training on the voluntary security guidelines hamper the inspectors’ ability to conduct informed discussions regarding security measures with facility personnel as they are currently instructed to do. Recommendations for Executive Action: In order to reduce the risk of deliberate contamination of food products, we are recommending that the Secretary of Health and Human Services and the Secretary of Agriculture study their agencies’ existing statutes and identify what additional authorities they may need relating to security measures at food-processing facilities. On the basis of the results of these studies, the agencies should seek additional authority from the Congress, as needed. To increase field inspectors’ knowledge and understanding of food security issues and facilitate their discussions about the voluntary security guidelines with plant personnel, we are also recommending that the Secretary of Health and Human Services and the Secretary of Agriculture provide training for their agencies’ field staff on the security measures discussed in the voluntary guidelines. Agency Comments and Our Evaluation: We provided FDA and USDA with a draft of this report for their review and comment. We received written and clarifying oral comments from each agency. The agencies also provided technical comments, which we incorporated into the report as appropriate. FDA agreed with our recommendation that it provide all food inspection personnel with training on security measures. Subsequently, FDA officials told us that the agency did not have an opinion on our recommendation that it study what additional authorities it may need relating to security measures at food-processing facilities. In its written comments, FDA stated that the report is factual and describes accurately the events and actions that FDA has taken on food security. FDA also commented that one of the goals of its voluntary guidance to industry is to heighten awareness of food security practices and that the role of its investigators is first and foremost food safety. FDA also said that it does not have sufficient security expertise to provide industry with consultation in this area. FDA further commented that although HACCP and other preventive controls are appropriate measures to enhance food safety, HACCP does not afford similar advantages for addressing deliberate contamination, tampering, and/or terrorist actions related to the food supply. Our report underscores that the role of FDA’s investigators is primarily one of food safety. Nevertheless, we believe that it is also crucial for cognizant agencies to have information about industry’s security efforts so that they can assess the extent to which the risk of deliberate contamination is being mitigated. We also believe that possessing such information is important if it becomes necessary to advise food processors on needed security enhancements. With regard to HACCP, our report does not take a position on the feasibility of using HACCP as a means to control deliberate contamination; instead, we report on the opinion of the National Academies. FDA’s comments are presented in appendix V. In its written comments, USDA agreed with the contents of our report. Subsequently, USDA’s food safety officials confirmed that the agency also agrees with the report’s recommendations. In its letter, USDA commented that it has already conducted a comprehensive risk assessment of the food supply without plant security information and that knowing whether a plant employed one or several security measures was not needed to assess the risk. Our report acknowledges that USDA has conducted a comprehensive risk assessment, but we believe that it is crucial for cognizant agencies to have information about industry’s security efforts so that they can assess the extent to which the risk of deliberate contamination is being mitigated. USDA’s comments are presented in appendix IV. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the Secretaries of Agriculture and Health and Human Services; the Director of the Federal Bureau of Investigation; the Director, Office of Management and Budget; and other interested parties. We will also make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at http://www.gao.gov. If you have any questions about this report, please contact Maria Cristina Gobin or me at (202) 512-3841. Key contributors to this report are listed in appendix VI. signed by Lawrence J. Dyckman: Lawrence J. Dyckman Director, Natural Resources and Environment: [End of section] Appendix I: Scope and Methodology: To determine the extent to which the current federal food safety statutes can be effectively used to regulate security at food- processing facilities, we analyzed the Food and Drug Administration’s (FDA) and the U.S. Department of Agriculture’s (USDA) existing statutory authorities. We discussed these authorities with FDA and USDA counsel and requested a legal opinion to determine the extent to which each agency believes its existing authorities allow it to regulate food security. We then independently reviewed these authorities to draw our own conclusions. To describe the actions that FDA and USDA have taken to help food processors prevent or reduce the risk of deliberate food contamination, we met with staff from FDA and FSIS to review the voluntary guidelines issued by each agency. To better understand the provisions of the guidelines, we met with agency program staff responsible for issuing the guidelines and for receiving industry comments on it. To learn how the guidelines would be implemented, we met with FDA and USDA’s Food Safety and Inspection Service (FSIS) officials responsible for field operations and with staff from field offices in Atlanta, Georgia, and Beltsville, Maryland. Finally, to gather additional information about the vulnerability of the food supply to acts of deliberate contamination, we contacted nine experts from academia, including experts in food safety and in bioterrorism. To describe how the government is determining the extent to which food- processing companies are implementing security procedures, we asked FDA and FSIS program officials about the nature of the information they are collecting about industry security measures. We also conducted surveys of agency field personnel to obtain their observations about and knowledge of food security measures taken at facilities they regularly inspect for food safety. Our FDA survey, which was Web-based, was administered to all 150 field investigators who recorded 465 or more hours for domestic food inspection from June 1, 2001 to May 31, 2002. Our survey of FSIS staff was a telephone survey of a randomly selected stratified sample of 50 circuit supervisors. Our response rate for these surveys was higher than 85 percent for FDA and 90 percent for FSIS, and respondents included participants from all the agencies’ geographic regions. Before administering the surveys, we discussed with and obtained input from FDA and FSIS program officials. We also pretested the surveys at field locations to ensure that our questions were valid, clear, and precise and that responding to the survey did not place an undue burden on the respondents. In addition, we contacted state audit offices in all 50 states to collect information about state government actions designed to prevent the deliberate contamination of food products. Of the 50 state audit offices we contacted, only 11 agreed to help us collect this information: Arizona, Florida, Maryland, Michigan, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Tennessee, and Texas. To determine the extent to which the food-processing industry is implementing security measures to better protect its products against deliberate contamination, we contacted officials from 13 trade associations representing, among others, the meat and poultry, dairy, egg, and fruits and vegetables industries and the food-processing industry. We discussed the guidelines that their organizations have issued, and they described what actions their constituents are taking to protect their products. We also visited five food-processing facilities in various geographic regions to ask corporate and plant officials about the actions they have taken to protect their products and facilities against intentional contamination. These facilities included a slaughter plant as well as facilities that produce beverages and ready-to-eat products. We recognize that the efforts of these five facilities are not necessarily representative of the whole food- processing industry. To identify the concerns that the industry has about sharing sensitive information with federal agencies, we spoke with industry representatives as well as officials from the Federal Bureau of Investigation’s National Infrastructure Protection Center. We conducted our review from February through December 2002 in accordance with generally accepted government auditing standards. [End of section] Appendix II: FDA Survey Results: [End of section] [See PDF for image] [End of section] Appendix III: FSIS Survey Results: [End of section] [See PDF for image] [End of section] Appendix IV: Comments from the U.S. Department of Agriculture: Mr. Lawrence J. Dyckman: Director, Natural Resources and Environment Team Food and Agriculture Issues: United States General Accounting Office 441 G Street, NW, Room 2T23 Washington, DC 20548: Dear Mr. Dyckman: Thank you for the opportunity to review and comment on the GAO Draft Report (GAO-03-342), “FOOD SECURITY: Voluntary Efforts Are Underway, but Federal Agencies Cannot Fully Assess Their Implementation” draft report. We generally agree with the contents of this report. However, please consider the following comment. On page 22 GAO concluded that the “...federal agencies cannot fully assess the vulnerability of the nation’s food supply, or advise processors on needed security enhancements. Restate sentence to read: “...federal agencies may have a difficult time assessing the vulnerability of the nation’s food supply...”: FSIS, as acknowledged on page 7 of the report, has completed a risk assessment of the food supply from farm to table. However, FSIS did not require information on the plant security measures to conduct its risk assessment. FSIS made the assumption that plant security measures could be overcome by a determined terrorist and that certain commodities or processes could be more at risk than others to an attack. Security measures could lessen the risk, but the risk would still exist. The risk assessment evaluated which agents could be used on the food supply, which agents are easy to obtain or produce, and assessed whether the food-processing product had any mitigation factors that would prevent or lessen an intentional attack. These assumptions were then used to develop a risk model. Knowing whether a plant employed one or several security measures was not needed to assess the risk. We have enclosed a few editorial comments for your consideration. Sincerely, Signed by Garry L. McKee: Garry L. McKee, Ph.D., M.P.H. Administrator: [End of section] Appendix V: Comments from the Food and Drug Administration: DEPARTMENT OF HEALTH & HUMAN SERVICES: Food and Drug Administration Rockville MD 20857: January 22, 2003: Mr. Lawrence J. Dyckman: Director, Natural Resources and Environment United States General Accounting Office 441 G Street, NW: Washington, DC 20548: Dear Mr. Dyckman: Please find the enclosed comments from the Food and Drug Administration on the GAO draft report entitled, FOOD SECURITY: Voluntary Efforts Are Underway, but Federal Agencies Cannot Fully Assess Their Implementation (GAO-03-342). The Agency provided extensive technical comments directly to your staff. We appreciate the opportunity to review and comment on this draft report before its publication as well as the opportunity to work with your staff in developing this report. Sincerely, Signed by Mark B. McClellan: Mark B. McClellan, M.D., Ph.D. Commissioner of Food and Drugs: Enclosure: General Comments by the Department of Health and Human Service’s Food and Drug Administration (FDA) on General Accounting Office’s (GAO) Draft Report FOOD SECURITY: Voluntary Efforts Are Underway, but Federal Agencies Cannot Fully Assess Their Implementation GAO-03-342): FDA appreciates the opportunity to comment on GAO’s draft report. The report is factual and describes accurately the events and actions taken by FDA related to food security as well as the sensitive nature of the information related to security measures taken by the food-processing industry. GAO also accurately acknowledges efforts taken by FDA and other government agencies to enhance safety and security of regulated products. These efforts, in conjunction with the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, are primarily directed toward imported products. The draft report discusses the different views between USDA and FDA on its authorities to address security concerns. In point of fact, our positions are very similar and any slight difference is more an issue of semantics rather than of substance. FDA would like to stress that the goal of its voluntary guidance to industry on security is not only to facilitate an exchange of information between FDA and industry on the subject of food security but also to heighten awareness of their food security practices. FDA does not possess sufficient resources in security expertise per se to provide consultation to the industry in this area. However, if we heighten awareness of security issues, the industry can consult with security experts to review their facility and adopt appropriate procedures. The role of the FDA investigator is first and foremost food safety and, as an ancillary role, to observe food security measures as they relate to the food safety investigation. FDA is only obliged to observe and comment when certain measures are not easily visible and do not link up and when they coincide with the primary purpose of the investigation. In addition, FDA agrees with GAO that Hazards Analysis Critical Control Points (HACCP) and other preventive controls are appropriate measures to reduce and or eliminate food safety contamination but do not believe HACCP affords similar advantages to deliberate contamination, tampering and or terrorist actions to the food supply. Accordingly, and in cooperation with the U.S. Air Force, FDA employed the Operational Risk Management approach to identify and minimize food security risks. GAO’s Recommendations for Executive Action: 1. In order to reduce the risk of deliberate contamination of food products, we are recommending that the Secretary of Health and Human Services and the Secretary of the Agriculture study their existing statutes and identify what additional authorities they may need relating to security measures at food-processing facilities. Based on the results of the study, the agencies should seek additional authority from the Congress, as needed. FDA response: FDA believes that its authorities under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act would extend to the regulation of facility security measures to prevent the intentional contamination of food products to the extent they overlap with food safety. As we have previously reported, the General Counsel in the Department of Health and Human Service’s Offic e of the Assistant Secretary for Legislation advised that FDA’s authorities under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act provide FDA with tools to adopt measures to control insanitary preparation, packing, and holding conditions that may lead to unsafe food, detect contamination of food, and control contaminated food. However, HHS counsel also advised that FDA’s food safety authorities do not extend to the regulation of physical facility security measures to prevent intentional contamination of food products. FDA counsel believes that to the extent that food safety and security overlap, FDA might be able to require industry to take steps to improve security depending on the particular measure at issue, but observed that there is likely to be little overlap between safety and security in various areas, e.g., background checks of employees. 2. To increase field inspectors’ knowledge and understanding of food security issues and facilitate their discussions about the voluntary security guidelines with plant personnel, we are also recommending that the Secretary of the Department of Health and Human Services and the Secretary of Agriculture provide training for the agency’s field staff on the security measures discussed in the voluntary guidelines. FDA response: FDA plans to conduct “formal” training on the guidance to industry on food security in addition to the formal instructions previously provided to FDA field staff on the guidance. We agree that the training FDA delivers to field staff will: *Discuss the content of the guidance and how food security activities are integrated into a food safety inspection; *Address food security as it relates to the guidance to industry as an ancillary function of a food safety inspection and/or investigation; *Encourage inspectors not to delve beyond those facility operations that are directly a part of a food safety investigation; and: *Not be considered to confer expert credentials for security upon FDA investigators but simply improve their abilities to heighten awareness of facility management on food security at the time of the food safety investigation. [End of section] Appendix VI: GAO Contacts and Staff Acknowledgments: GAO Contacts: Lawrence J. Dyckman, (202) 512-3841 Maria Cristina Gobin, (202) 512-8418: Acknowledgments: In addition to those named above, John Johnson, John Nicholson, Jr., Stuart Ryba, and Margaret Skiba made key contributions to this report. Nancy Crothers, Doreen S. Feldman, Oliver Easterwood, Evan Gilman, and Ronald La Due Lake also made important contributions. FOOTNOTES [1] FDA’s HACCP program applies only to seafood and juice, not to all FDA-regulated food. [2] See U.S. General Accounting Office, Food Safety: Overview of Federal and State Expenditures, GAO-01-177 (Washington, D.C.: Feb. 20, 2001). [3] This act contains provisions that provide FDA with new authority to detain products that are believed to present a serious health threat. It also authorizes FDA to debar importers who have been convicted of certain food import violations, which results in the denial of delivery of products to those importers. [4] Operational Risk Management is an approach to risk assessment that increases operational effectiveness by anticipating hazards and reducing the potential for loss. [5] On November 25, 2002, President Bush signed the Homeland Security Act of 2002, which created the Department of Homeland Security. The Department will replace the Office of Homeland Security. [6] See National Research Council of the National Academies, Making the Nation Safer: The Role of Science and Technology in Countering Terrorism (Washington, D.C: June 2002). [7] See Centers for Disease Control and Prevention, Public Health Assessment of Potential Biological Terrorism Agents, Emerging Infectious Diseases (Atlanta, Ga.: February 2002). [8] FDA, under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, and USDA, under the Federal Meat Inspection Act, Poultry Products Inspection Act, and the Egg Products Inspection Act, have broad authority to regulate food safety. These laws require that food products be processed under sanitary conditions, be unadulterated, and be properly labeled. [9] USDA’s view on its authority to impose security requirements that are closely related to sanitary conditions is derived from the food safety laws’ prohibitions against adulteration. Adulterated food is virtually identically defined in the Federal Food, Drug, and Cosmetic Act and the Federal Meat, Poultry Products, and Egg Products Inspection Acts as food that has been “prepared, packed, [“packaged” in the egg inspection act] or held under insanitary conditions whereby it may have become contaminated with filth, or whereby it may have been rendered injurious to health.” See 21 U.S.C. 342(a)(4), 21 U.S.C. 601(m)(4), 21 U.S.C. 453(g)(4) and 21 U.S.C. 1033(a)(4). [10] FDA was first to issue guidelines in January 2002; FSIS subsequently issued its guidelines in May 2002. [11] See www.cfsan.fda.gov/~dms/secguid.html for FDA and www.fsis.usda.gov/oa/topics/securityguide.htm for FSIS. [12] Eleven of the 50 state audit offices we contacted for assistance in interviewing their food regulatory officials responded to our request. The participating state auditing offices were Arizona, Florida, Maryland, Michigan, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Tennessee, and Texas. Because the state auditors collected information from only 11 states, these observations cannot be generalized. [13] According to an FSIS memorandum to its field personnel, “heightened alert” is defined as identifying and reporting any suspicious activities that could adversely affect our nation’s security. [14] The Technical Service Center provides field inspection personnel with technical assistance, advice, and guidance regarding the implementation of national policies, programs, and procedures. The center also serves as a central point for reporting and responding to suspicious activities related to food security. [15] The vulnerability assessment must include, among other things, a review of pipes and constructed conveyances; physical barriers; and water collection, pretreatment, treatment, storage, and distribution facilities. [16] The facilities vary in size from 100 to 800 employees. [17] We surveyed 50 FSIS Circuit Supervisors (obtained responses from 45) who oversee the activities of the agency’s field inspectors and 150 FDA investigators (obtained responses from 128) who perform the inspections of food-processing facilities to ask about the security measures they have observed at the plants they inspect. Our survey included questions about outside security, visitor access, employee screening, and shipping and handling, among others. The methods used and results from these surveys are contained in appendixes II and III. [18] The National Food Processors Association is in the process of evaluating the results from its food security survey of its members, but not all of the results were ready in time to be included in this report. [19] See, for example, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F. 2d 871 (D.C. Cir. 1992) (en banc) cert. denied, 507 U.S. 984 (1993) (information in safety reports voluntarily provided to the Nuclear Regulatory Commission by nuclear safety groups was confidential and thus exempt from disclosure under the Freedom of Information Act’s exemption for financial or commercial information). [20] Security measures listed in FDA’s and FSIS’s food security guidelines are somewhat different. The agencies developed their guidelines in January and May 2002, respectively, and did not coordinate their efforts. [21] FDA preferred that we ask about the level of “satisfaction,” while FSIS wanted us to ask about the level of “confidence.” GAO’s Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO’s Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to daily E-mail alert for newly released products” under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: